Bài viết gắn tag AWS.https://cloudsecop.net/https://cloudsecop.net/blog/aws-remote-swe-agents-strands/https://cloudsecop.net/blog/aws-remote-swe-agents-strands/AWS Strands Agents + Bedrock AgentCore cho autonomous SWE agent. GitHub issue → PR. Threat model, IAM blast radius, audit. So sánh Copilot Workspace và Devin.Mon, 12 Jan 2026 00:00:00 GMTAWSBedrockAI AgentsDevOpsCloud SecurityKhaVanhttps://cloudsecop.net/blog/migration-aws-to-cloudflare/https://cloudsecop.net/blog/migration-aws-to-cloudflare/Playbook migrate production từ AWS (Lambda, DynamoDB, RDS, S3, SQS, ElastiCache) sang Cloudflare: mapping primitive, 3 chiến lược, data migration, cutover, rollback, 10 pitfall.Thu, 01 Jan 2026 00:00:00 GMTCloudflareCloudflare DeveloperMigrationAWSServerlessKhaVanhttps://cloudsecop.net/blog/cost-model-production/https://cloudsecop.net/blog/cost-model-production/Pricing từng primitive Cloudflare (Workers, D1, KV, R2, Queues, DOs, Vectorize, Workers AI), breakpoint, so sánh AWS, 3 scenario: blog, SaaS 10k user, app 100M req/tháng.Wed, 24 Dec 2025 00:00:00 GMTCloudflareCloudflare DeveloperCostAWSPricingKhaVanhttps://cloudsecop.net/blog/mcp-server-cloudflare-vs-bedrock-agentcore/https://cloudsecop.net/blog/mcp-server-cloudflare-vs-bedrock-agentcore/So sánh MCP server Cloudflare (Workers + R2/D1/KV, OAuth) với AWS Bedrock AgentCore (IAM, dài-hạn). Latency, cost, auth, kịch bản dùng — và tôi chọn cái nào.Sun, 30 Nov 2025 00:00:00 GMTCloudflareWorkersAWSMCPAI AgentsKhaVanhttps://cloudsecop.net/blog/aws-well-architected-custom-lens/https://cloudsecop.net/blog/aws-well-architected-custom-lens/Custom lens AWS Well-Architected: thêm pillar riêng cho org, JSON schema, deploy CloudFormation, attach workload. Use case Vietnam compliance Circular 09, Decree 53.Mon, 08 Sep 2025 00:00:00 GMTAWSCloud SecurityGovernanceWell-ArchitectedArchitectureKhaVanhttps://cloudsecop.net/blog/aws-security-services-best-practices/https://cloudsecop.net/blog/aws-security-services-best-practices/AWS vừa publish best-practices guide cho 10 dịch vụ bảo mật (GuardDuty, Security Hub, Macie, Inspector, WAF, Network Firewall). Cấu trúc guide và lộ trình triển khai thực tế.Thu, 31 Jul 2025 00:00:00 GMTAWSCloud SecurityGuardDutySecurity HubBest PracticesKhaVanhttps://cloudsecop.net/blog/aws-security-maturity-model-v2/https://cloudsecop.net/blog/aws-security-maturity-model-v2/AWS Security Maturity Model v2: 74 kiểm soát chia 4 giai đoạn (Quick Wins, Foundational, Efficient, Optimized), thứ tự nên làm, bẫy thường gặp, ánh xạ vào Organization.Sun, 27 Jul 2025 00:00:00 GMTAWSCloud SecuritySecurity MaturityGovernanceZero TrustKhaVanhttps://cloudsecop.net/blog/bedrock-workers-oidc-case-study/https://cloudsecop.net/blog/bedrock-workers-oidc-case-study/Worker mint RS256 JWT → STS AssumeRoleWithWebIdentity → Bedrock Claude Opus. Số liệu thực: token 5ms, STS 200ms, Bedrock 2-3s, cached 50ms.Tue, 22 Jul 2025 00:00:00 GMTCloudflareWorkersAWSBedrockOIDCCloud SecurityKhaVanhttps://cloudsecop.net/blog/aws-security-maturity-model-assessment-tool/https://cloudsecop.net/blog/aws-security-maturity-model-assessment-tool/Ghi chú dùng AWS Security Maturity Model Assessment Tool đánh giá posture theo 4 giai đoạn (Quick Wins, Foundational, Efficient, Optimized): kiến trúc, quy trình, JSON/Excel.Sun, 20 Jul 2025 00:00:00 GMTAWSCloud SecuritySecurity MaturityAssessmentGovernanceKhaVanhttps://cloudsecop.net/blog/hardeneks-eks-security/https://cloudsecop.net/blog/hardeneks-eks-security/hardeneks là Python CLI chạy 100+ EKS best-practice check. Lý do tôi chạy ở PR thay vì weekly cron, so sánh kube-bench/kube-hunter, finding thực tế.Wed, 04 Jun 2025 00:00:00 GMTAWSEKSKubernetesCloud SecurityComplianceKhaVanhttps://cloudsecop.net/blog/cloudflare-access-vs-aws-iam-idc/https://cloudsecop.net/blog/cloudflare-access-vs-aws-iam-idc/Đừng cố unify Cloudflare Access và AWS IAM Identity Center. Pattern thực dụng: Okta/Entra → SSO cả hai, SCIM provisioning, per-app policy, audit correlation.Thu, 15 May 2025 00:00:00 GMTCloudflareCloudflare OneAWSIdentityZero TrustKhaVanhttps://cloudsecop.net/blog/kms-key-policies-deep-dive/https://cloudsecop.net/blog/kms-key-policies-deep-dive/Cơ chế evaluation của KMS key policy, cross-account access, condition keys, grants, key rotation, production patterns. Kèm JSON policy examples và checklist cho production.Fri, 18 Apr 2025 00:00:00 GMTAWSCloud SecurityKMSEncryptionIAMKhaVanhttps://cloudsecop.net/blog/guardduty-auto-remediation/https://cloudsecop.net/blog/guardduty-auto-remediation/Pipeline tự động phản ứng sự cố bảo mật với GuardDuty, EventBridge và Lambda: cô lập instance, snapshot forensic, thu hồi credentials, mở rộng multi-account với Organizations.Mon, 14 Apr 2025 00:00:00 GMTAWSCloud SecurityGuardDutySecurity AutomationEventBridgeKhaVanhttps://cloudsecop.net/blog/aws-secrets-manager-vs-cloudflare-secrets/https://cloudsecop.net/blog/aws-secrets-manager-vs-cloudflare-secrets/AWS Secrets Manager $0.40/secret/mo + auto-rotation Lambda vs Cloudflare Secrets Store free trên Workers Paid. Khi nào chọn cái nào, replication pattern.Fri, 28 Feb 2025 00:00:00 GMTAWSCloudflareSecrets ManagerSecurityDevOpsKhaVanhttps://cloudsecop.net/blog/pingora-vs-aws-alb-nlb/https://cloudsecop.net/blog/pingora-vs-aws-alb-nlb/Pingora xử lý 40M+ req/sec ở Cloudflare. Khi nào self-host bằng pingora-core/pingora-proxy thắng AWS ALB $20/tháng + LCU và NLB managed.Tue, 04 Feb 2025 00:00:00 GMTCloudflareNetworkingRustAWSPerformanceKhaVanhttps://cloudsecop.net/blog/workload-identity-federation-aws-gcp/https://cloudsecop.net/blog/workload-identity-federation-aws-gcp/Workload Identity Federation deep dive: vì sao Service Account Key là anti-pattern, luồng token AWS STS → Google STS, attribute mapping, impersonation, threat model, Terraform.Mon, 27 Jan 2025 00:00:00 GMTCloud SecurityAWSGCPIdentity FederationMulti-CloudZero TrustKhaVanhttps://cloudsecop.net/blog/aws-iam-access-key-auto-rotation/https://cloudsecop.net/blog/aws-iam-access-key-auto-rotation/Một giải pháp AWS-native để rotate, disable và delete IAM access key theo chính sách: đi sâu vào kiến trúc nhiều account, đánh đổi và vận hành thực tế.Tue, 31 Dec 2024 00:00:00 GMTAWSIAMSecurity AutomationSecrets ManagerLambdaKhaVanhttps://cloudsecop.net/blog/cspm-across-multiple-landing-zones/https://cloudsecop.net/blog/cspm-across-multiple-landing-zones/Cách mình thiết kế CSPM engine nội bộ quét song song nhiều AWS Landing Zone bằng Prowler, lưu finding vào D1, artifact vào R2, dashboard duy nhất cho Security Operations.Fri, 20 Dec 2024 00:00:00 GMTCloud SecurityAWSCSPMProwlerCloudflareKhaVan